ChatGPT and other AI tools make our everyday work easier. They can come up with creative ideas for us, write stories, and summarize what would take us hours of internet research in a matter of seconds. Cool, right? But with great power comes great responsibility. In the wrong hands, ChatGPT and other tools can be exploited by scammers and cybercriminals. We wanted to see how ChatGPT could simplify the work of a scammer, so we asked it for help writing a phishing email. Keep reading to see what ChatGPT delivered!
Phishing emails in the world of AI
Phishing remains one of the biggest IT security threats today. With each new technological development, the work of sending out phishing emails gets easier and easier. For instance, spell-check, grammar correction software, and tone-reading tools can make phishing emails seem more legitimate by removing linguistic errors or tell-tale signs of a phishing email. Other tools like phishing kits have made it easier than ever for scammers to create realistic-looking phishing emails. New AI tools like ChatGPT take this threat to the next level. They can easily be manipulated to write fake emails that scammers can reproduce and customize – for free.
So, to get a better idea of what phishing email creation looks like in the world of new AI tools, come along with me. I get ChatGPT to write me phishing email templates, tell me what good topics for a phishing email could be, and when I should send out a phishing email to get the best response rate.
ChatGPT has to follow an ethical code, but it can still be exploited
I started out by bluntly asking ChatGPT to pretend to be a cybercriminal and write me a phishing email. At first, ChatGPT didn’t give me anything, due to the ethical code it must follow.
ChatGPT has been trained in ethical information production, but that didn’t stop it from giving me some tips on how to write a phishing email.
ChatGPT also gave me some topics that phishing emails can cover.
And ChatGPT gave me some hints about how malicious links or attachments in phishing emails work.
It even gave me the names of some tools that can be used to write and send malicious emails easily.
You’ll see here that ChatGPT willingly gave me a lot of information that could help a potential cybercriminal learn about how to make a good phishing email, along with tips for writing one, subjects, and software or other tools that can be used in a scam.
ChatGPT also mentioned several times the importance of training employees to understand the dangers of phishing and to recognize the signs of a phishing email. We'll come back to that later.
ChatGPT won’t explicitly write you a phishing email
As you can see from my conversation with ChatGPT above, the tool won’t knowingly write me a phishing email due to its ethical code. However, it will provide valuable information that can make writing and sending phishing emails easier.
Once I realized that ChatGPT couldn’t be taken advantage of so easily, I had to get a bit crafty. I took a new approach and started asking ChatGPT for help with innocent requests, like drafting emails to notify my employees of a gift card or a mandatory security update – things that ChatGPT told me were frequently used phishing hooks. And ChatGPT was more than happy to comply.
But ChatGPT will happily write you email templates... that can be repurposed for phishing
Here you can see some of the email templates that ChatGPT wrote for me. With just a little bit of information about the target recipient or organization, these templates could be customized for use in a phishing attack. They even have many signs of a social engineering attack because they create urgency, curiosity, and desire for a reward.
Example phishing email #1
First, I asked ChatGPT for an email template about a gift card – a common phishing theme.
Example phishing email #2
Then, I requested an email asking the recipient to open an attachment by the end of the day.
Example phishing email #3
Next, I asked ChatGPT for an email about an online review of a company – something employees would naturally be curious about and want to click the link to see.
Example phishing email #4
Then, I asked for an email about downloading a new security program to their work laptops.
In a matter of a minute, ChatGPT gave me four grammatically correct and well-written emails that I could use in phishing campaigns. I bet you’ve received a legitimate email like this before! ChatGPT was trained on real emails, so it can mimic email communication for various purposes and in different tones – from fun and casual to professional. Of course, some of the language might need to be adjusted so that it matches the target audience, but ChatGPT did all the hard work for me.
I took it a step further and asked ChatGPT for the most common email topics
A good phishing email blends in with the other emails we receive, so it doesn’t raise the alarm bells quite as easily. So, I put myself in the cybercriminal’s shoes and asked ChatGPT for ideas on what kinds of emails people receive most often.
And from ChatGPT’s response, I asked it to write me another email template – this time based on one of the common emails we receive, event invitations.
Example phishing email #5
Here’s the event invitation email that ChatGPT wrote for me. If I had included more detail in my request, e.g., specific industry, event topic, date, etc., the email would have been even more realistic.
And then, I asked ChatGPT to make the subject line more interesting. I used my learnings from my first conversation with ChatGPT, where it told me that it’s important to use a catchy subject line so that people are motivated to open the email.
ChatGPT gave me catchy subject line options
Here are a few examples of subject lines ChatGPT gave me to make the email more clickable. It even gave me several different options – and it would have given me more if I asked.
Well equipped with the email templates from ChatGPT, I finished our conversation by asking for some hints about when I should send out my emails for the best response rate. Again, for the cherry on top, ChatGPT happily provided me with insights on the best time to send the emails out.
ChatGPT speaks a lot of languages
The AI tool has raised eyebrows about its understanding of coding languages like Python. It doesn’t stop there though. ChatGPT can translate text into other languages. This means that ChatGPT can simplify the task of translating emails into the target audience’s language. With very minimal effort, ChatGPT can give me the same email in many different languages. For example, I asked ChatGPT to translate the gift card email template from English into Danish.
The translation isn’t perfect – there are a few grammar and vocabulary mistakes. But remember that we did this test with the first and most basic form of ChatGPT. If tech innovation tells us anything, it’s that advancements keep coming. So, you can imagine what ChatGPT and other AI tools will be capable of six months from now, or even a year from now. It’s likely that responses in other languages will become more accurate and reliable.
ChatGPT can be easily manipulated by cybercriminals
In total, I spent no more than 15 minutes chatting with ChatGPT – and in that time, ChatGPT gave me five different phishing email templates, subject line options, topics for phishing emails, tools I could use to develop and send phishing emails, and the time I should send out my phishing emails.
As long as ChatGPT didn’t know I was using the information for the purpose of sending out a phishing email, it was happy to give me what I asked for.
Even though ChatGPT has been trained to follow ethical guidelines, it’s really easy to work around this by rephrasing your questions to seemingly innocent requests. If I was able to get this information from ChatGPT in a few minutes, so could the cybercriminals.
OpenAI's Playground tool is very easy to manipulate
Playground is a tool by OpenAI, the creator of ChatGPT. The principle is the same – you give Playground a prompt and it returns content in seconds. While Playground is free, it does have a time limit. But most important for IT security, Playground has fewer ethical limitations than ChatGPT. I asked Playground for a phishing email, and it gave me one – no questions asked and no hesitation. Here are two examples:
It’s clear that Playground can easily be exploited by cybercriminals who want new phishing email templates. So even though ChatGPT is more well-known than Playground, the two tools show the variety of ethical standards that AI tools are trained to follow. They also show that sometimes a cybercriminal has to do the bare minimum to get AI to write a phishing email.
The bottom line: ChatGPT and other AI tools make phishing easier than ever
As you’ve seen, ChatGPT makes phishing easier than ever by taking the pain of writing phishing emails away. Its email-generating skill can serve both as an innocent time-saving tool and as a creator of malicious content, such as phishing emails.
Phishing training becomes more important
Phishing is already the most dangerous cybersecurity threat that companies face. But with new AI tools like ChatGPT widely available for free, the threat becomes even larger. There is no doubt that phishing attempts will increase as it becomes easier to produce and send these scams.
Training your team to recognize phishing and social engineering is more important than ever. That’s why we at CyberPilot focus on training our employees to become our strongest defense against IT security threats. Through both phishing testing and security awareness training, we help organizations protect themselves against cybersecurity threats as they evolve.